Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ZjH6H6xqo7.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	3.9202524936856595
Filename:	ZjH6H6xqo7.exe
Filesize:	44544
MD5:	16a1fbd21af85d43b1ac31bf1829a152
SHA1:	522a835acc8ec09d9d74d695fb9ebaed3b2d72ff
SHA256:	36589e0ed1c8a584dc014add50db2f2ac1c5a0cfac5403f7b7886b66e26a1d86
SHA512:	d5d46d0b8832e58b2857ca9daad28c0dea83ba11846894995ce01d05d1be93644a50996a6b66e41db9da00282216bb96fc6f05a4ca7111b2aee4330678c30672
SSDEEP:	768:5/EVNSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4fet:5sVN7aeGEk+11Tu9AnQVLNppvk9RN4Gt
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............B.... ........@.. ....................... ............`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains very large strings	System Summary
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Compiles code for process injection (via .Net compiler)	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Compiles C# or VB.Net code	Data Obfuscation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZjH6H6xqo7.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZjH6H6xqo7.exe.log
Category:	dropped
Dump:	ZjH6H6xqo7.exe.log.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\ZjH6H6xqo7.exe
Type:	CSV text
Entropy:	5.345615485833535
Encrypted:	false
Ssdeep:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
Size:	847
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.0.cs

Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.0.cs
Category:	dropped
Dump:	up5gphgh.0.cs.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ZjH6H6xqo7.exe
Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy:	4.487855797297623
Encrypted:	false
Ssdeep:	192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
Size:	10583
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Compiles code for process injection (via .Net compiler)	HIPS / PFW / Operating System Protection Evasion	Process Injection

C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline

Unicode text, UTF-8 (with BOM) text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline
Category:	dropped
Dump:	up5gphgh.cmdline.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\ZjH6H6xqo7.exe
Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Entropy:	4.973455014317479
Encrypted:	false
Ssdeep:	3:0HXEXA8F+H2R5BJiWR5mKWLRRUkh4E2J5xAIkFQEVyP0iQCIFRVRMxTPIUkh4E2B:pAu+H2L/6K2923fEbjzxszI923fEbM9
Size:	206
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Dot net compiler compiles file from suspicious location	Data Obfuscation
Compiles C# or VB.Net code	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Dynamic .NET Compilation Via Csc.EXE	System Summary
Sigma detected: Dynamic CSharp Compile Artefact	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.dll

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.dll
Category:	dropped
Dump:	up5gphgh.dll.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	4.664111296042152
Encrypted:	false
Ssdeep:	96:KbuaQZGQf9xPQ2pCa/u67hHJif9IhbpPrjzKcaEZRcH0ljILHqrv5MqBTzeNc+iz:KCaQHf9WDa/u6VRj2ca7Uxd5MqReNcH
Size:	8704
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\RES6781.tmp

Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Sun Nov 24 08:41:24 2024, 1st section name ".debug$S"

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RES6781.tmp
Category:	dropped
Dump:	RES6781.tmp.4.dr
ID:	dr_6
Target ID:	4
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Sun Nov 24 08:41:24 2024, 1st section name ".debug$S"
Entropy:	3.991383819364011
Encrypted:	false
Ssdeep:	24:HLm9psJ6KHxwKTFexmfwI+ycuZhNSXakSTAPNnqSSd:Wk6K6KTAxmo1ulIa3UqSC
Size:	1336
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\up5gphgh\CSCE347F25DAC914FE0BD5774A121A2513C.TMP

MSVC .res

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\up5gphgh\CSCE347F25DAC914FE0BD5774A121A2513C.TMP
Category:	dropped
Dump:	CSCE347F25DAC914FE0BD5774A121A2513C.TMP.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Type:	MSVC .res
Entropy:	3.102451476879216
Encrypted:	false
Ssdeep:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryY4Yak7YnqqT4NPN5Dlq5J:+RI+ycuZhNSXakSTAPNnqX
Size:	652
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.out

Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.out
Category:	modified
Dump:	up5gphgh.out.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\ZjH6H6xqo7.exe
Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Entropy:	5.2111508376695825
Encrypted:	false
Ssdeep:	12:KMi/qR37L/6KzsbjwsbM4KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoqdn6KzsbMsb/Kax5DqBVKVrdFAMBt
Size:	705
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ZjH6H6xqo7.exe

"C:\Users\user\Desktop\ZjH6H6xqo7.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5452
Target ID:	0
Parent PID:	1028
Name:	ZjH6H6xqo7.exe
Path:	C:\Users\user\Desktop\ZjH6H6xqo7.exe
Commandline:	"C:\Users\user\Desktop\ZjH6H6xqo7.exe"
Size:	44544
MD5:	16A1FBD21AF85D43B1AC31BF1829A152
Time:	02:35:32
Date:	24/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xae0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Sigma detected: Dot net compiler compiles file from suspicious location	Data Obfuscation
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Dynamic .NET Compilation Via Csc.EXE	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Dynamic CSharp Compile Artefact	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline"

Details

Is windows:	true
Is dropped:	false
PID:	6480
Target ID:	2
Parent PID:	5452
Name:	csc.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline"
Size:	2141552
MD5:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Time:	02:35:35
Date:	24/11/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xc00000
Modulesize:	2158592
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Dot net compiler compiles file from suspicious location	Data Obfuscation
Compiles C# or VB.Net code	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Dynamic .NET Compilation Via Csc.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6392
Target ID:	5
Parent PID:	5452
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	02:35:35
Date:	24/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe60000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5428
Target ID:	3
Parent PID:	6480
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	02:35:35
Date:	24/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6781.tmp" "c:\Users\user\AppData\Local\Temp\up5gphgh\CSCE347F25DAC914FE0BD5774A121A2513C.TMP"

Details

Is windows:	true
Is dropped:	false
PID:	6160
Target ID:	4
Parent PID:	6480
Name:	cvtres.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6781.tmp" "c:\Users\user\AppData\Local\Temp\up5gphgh\CSCE347F25DAC914FE0BD5774A121A2513C.TMP"
Size:	46832
MD5:	70D838A7DC5B359C3F938A71FAD77DB0
Time:	02:35:35
Date:	24/11/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xb60000
Modulesize:	45056
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://sector-essay.cyou/api

104.21.47.136

https://sector-essay.cyou/5

unknown

https://sector-essay.cyou/apij

unknown

http://147.45.44.131/infopage/tvh53.exe

147.45.44.131

thicktoys.sbs

http://147.45.44.131/infopage/tvh53.exeP

unknown

300snails.sbs

https://sector-essay.cyou/apiO

unknown

faintbl0w.sbs

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://sector-essay.cyou/apiC

unknown

3xc1aimbl0w.sbs

https://sector-essay.cyou/

unknown

http://147.45.44.131

unknown

https://sector-essay.cyou:443/apiMicrosoft

unknown

https://sector-essay.cyou/apie

unknown

https://sector-essay.cyou:443/api

unknown

There are 7 hidden URLs, click here to show them.

Domains

Name

Malicious

sector-essay.cyou

104.21.47.136

Details

Name:	sector-essay.cyou
IP:	104.21.47.136
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.21.47.136

sector-essay.cyou

United States

Details

IP:	104.21.47.136
TargetID:	5
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sector-essay.cyou

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

147.45.44.131

unknown

Russian Federation

Details

IP:	147.45.44.131
TargetID:	0
Current Path:	C:\Users\user\Desktop\ZjH6H6xqo7.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ZjH6H6xqo7_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

5702000

heap

page read and write

1070000

heap

page read and write

5BAE000

stack

page read and write

1551000

heap

page read and write

1520000

heap

page read and write

105E000

stack

page read and write

5727000

heap

page read and write

101E000

stack

page read and write

5CAF000

direct allocation

page read and write

2F10000

heap

page execute and read and write

501D000

stack

page read and write

1580000

trusted library allocation

page read and write

2FC4000

trusted library allocation

page read and write

1470000

heap

page read and write

5C20000

direct allocation

page read and write

F90000

heap

page read and write

582E000

stack

page read and write

5719000

heap

page read and write

5735000

heap

page read and write

3A18000

trusted library allocation

page read and write

2F98000

trusted library allocation

page read and write

139D000

stack

page read and write

BAE000

stack

page read and write

5702000

heap

page read and write

1407000

trusted library allocation

page execute and read and write

353D000

stack

page read and write

118E000

heap

page read and write

137E000

stack

page read and write

2FA0000

trusted library allocation

page read and write

FEE000

stack

page read and write

55C0000

heap

page read and write

367F000

stack

page read and write

592E000

stack

page read and write

456000

remote allocation

page execute and read and write

5CA0000

direct allocation

page read and write

5C00000

direct allocation

page read and write

55D0000

heap

page read and write

56F6000

heap

page read and write

53F9000

stack

page read and write

13C5000

heap

page read and write

1420000

trusted library allocation

page read and write

5520000

heap

page execute and read and write

551E000

stack

page read and write

11C2000

heap

page read and write

5CCA000

direct allocation

page read and write

13DD000

trusted library allocation

page execute and read and write

3985000

trusted library allocation

page read and write

15E9000

heap

page read and write

2F21000

trusted library allocation

page read and write

3988000

trusted library allocation

page read and write

122C000

heap

page read and write

15D3000

heap

page read and write

B4D000

stack

page read and write

5D10000

heap

page read and write

2F0E000

stack

page read and write

15F0000

heap

page read and write

13F7000

trusted library allocation

page execute and read and write

14DE000

stack

page read and write

3870000

heap

page read and write

5CE0000

direct allocation

page read and write

5719000

heap

page read and write

5672000

direct allocation

page read and write

1560000

heap

page read and write

AEE000

unkown

page readonly

152A000

heap

page read and write

5C70000

heap

page read and write

5724000

heap

page read and write

15F6000

heap

page read and write

161C000

heap

page read and write

EF9000

stack

page read and write

2F86000

trusted library allocation

page read and write

5630000

direct allocation

page read and write

5702000

heap

page read and write

5460000

heap

page read and write

5CAF000

direct allocation

page read and write

171F000

stack

page read and write

140B000

trusted library allocation

page execute and read and write

562E000

stack

page read and write

56DE000

heap

page read and write

5BEE000

stack

page read and write

5735000

heap

page read and write

2E8E000

stack

page read and write

122F000

heap

page read and write

54DD000

stack

page read and write

5710000

heap

page read and write

1545000

heap

page read and write

5732000

heap

page read and write

B00000

heap

page read and write

3F21000

trusted library allocation

page read and write

13FA000

trusted library allocation

page execute and read and write

5690000

direct allocation

page read and write

37FE000

stack

page read and write

133E000

stack

page read and write

1060000

heap

page read and write

557E000

stack

page read and write

F80000

heap

page read and write

AE0000

unkown

page readonly

13C0000

trusted library allocation

page read and write

13F0000

trusted library allocation

page read and write

1217000

heap

page read and write

5CF0000

trusted library section

page read and write

5670000

direct allocation

page read and write

5CEF000

stack

page read and write

37BE000

stack

page read and write

55BE000

stack

page read and write

13D3000

trusted library allocation

page execute and read and write

5702000

heap

page read and write

56F6000

heap

page read and write

160F000

heap

page read and write

158A000

heap

page read and write

13D4000

trusted library allocation

page read and write

36BE000

stack

page read and write

2F75000

trusted library allocation

page read and write

5C4F000

direct allocation

page read and write

3F89000

trusted library allocation

page read and write

155D000

stack

page read and write

13C0000

heap

page read and write

5C4F000

direct allocation

page read and write

56C8000

heap

page read and write

2F78000

trusted library allocation

page read and write

5681000

direct allocation

page read and write

15C0000

trusted library allocation

page read and write

4FFC000

stack

page read and write

1750000

heap

page read and write

1740000

trusted library allocation

page read and write

56E2000

heap

page read and write

573A000

heap

page read and write

5A6E000

stack

page read and write

B8C000

stack

page read and write

5732000

heap

page read and write

BF0000

heap

page read and write

1180000

heap

page read and write

56E5000

heap

page read and write

3F29000

trusted library allocation

page read and write

571F000

heap

page read and write

1067000

heap

page read and write

56DD000

heap

page read and write

157C000

heap

page read and write

1075000

heap

page read and write

39DC000

trusted library allocation

page read and write

99D000

stack

page read and write

572D000

heap

page read and write

1756000

heap

page read and write

2F83000

trusted library allocation

page read and write

1340000

heap

page read and write

5735000

heap

page read and write

570E000

heap

page read and write

397F000

stack

page read and write

55C5000

heap

page read and write

1609000

heap

page read and write

135F000

stack

page read and write

2F7D000

trusted library allocation

page read and write

13E0000

trusted library allocation

page read and write

357E000

stack

page read and write

5727000

heap

page read and write

1402000

trusted library allocation

page read and write

125E000

stack

page read and write

12FB000

stack

page read and write

56E4000

heap

page read and write

BF0000

heap

page read and write

3A80000

heap

page read and write

FD0000

heap

page read and write

2ECD000

stack

page read and write

56FD000

heap

page read and write

118A000

heap

page read and write

343D000

stack

page read and write

56C0000

heap

page read and write

5725000

heap

page read and write

56F2000

heap

page read and write

F0B000

stack

page read and write

56FA000

heap

page read and write

5C40000

direct allocation

page read and write

5735000

heap

page read and write

5BE0000

direct allocation

page read and write

117E000

stack

page read and write

56E1000

heap

page read and write

155A000

heap

page read and write

1570000

trusted library allocation

page execute and read and write

5739000

heap

page read and write

564D000

direct allocation

page read and write

2F8B000

trusted library allocation

page read and write

596E000

stack

page read and write

15E2000

heap

page read and write

5C80000

direct allocation

page read and write

15E0000

heap

page read and write

AE2000

unkown

page readonly

A9C000

stack

page read and write

5AAE000

stack

page read and write

5BC0000

heap

page read and write

2FFF000

stack

page read and write

3980000

trusted library allocation

page read and write

1380000

heap

page read and write

39BC000

trusted library allocation

page read and write

5BBF000

stack

page read and write

5722000

heap

page read and write

1400000

trusted library allocation

page read and write

5676000

direct allocation

page read and write

572F000

stack

page read and write

1570000

heap

page read and write

146E000

stack

page read and write

5CC0000

direct allocation

page read and write

56F7000

heap

page read and write

F70000

heap

page read and write

11B5000

heap

page read and write

59BF000

stack

page read and write

572C000

heap

page read and write

B50000

heap

page read and write

There are 198 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ZjH6H6xqo7.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportZjH6H6xqo7.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
ZjH6H6xqo7.exe